U.S. second-largest alcohol distributor thwarts ransomware attacks

Overview

Republic National Distributing Company (RNDC) is the second largest distributor of premium wines and spirits in the U.S. Its roots go back before Prohibition to a single distributorship founded in 1898 in Pensacola, Fla. Several family-owned businesses merged to form RNDC, which remains privately owned and committed to a family ethos that extends to business partnerships and corporate culture of more than 8,000 employees.

RNDC operates as the middle tier in a three-tier, state-based alcohol distribution system that went into effect following Prohibition. It operates as a product liaison between distinguished alcohol producers and retail customers that range from mom and pop liquor stores to the largest chains in the country. It operates a centralized and virtualized IT environment, and serves employee needs with a combination of private cloud and public cloud resources.

The information RNDC has in its network is the lifeblood of the organization, from orders in to orders out. If that information is hijacked and held for ransom, they can’t process any orders or make any deliveries. “We can’t load our trucks without free-flowing information from our order entry, warehouse automation and delivery routing systems. Without information, nothing moves,” said John Dickson, Director of IT Infrastructure at RNDC.

Challenges

RNDC relies on data flowing into the organization from thousands of external data sources, including mobile devices used by sales personnel. Information to and from customers and vendors adds to the complexity of securing the network. “With the free sharing of information between customers and vendors, network borders are melting away,” said Dickson. “We have to figure out new ways to protect against threats like ransomware from malicious actors and to keep them from accidentally harming our vendors.”

Dickson has seen cyber threats evolve in number and severity, from individual hackers trying to deface a website to organizations devoted to cybercrime for financial gain. “Advanced threats, like ransomware, have become more vicious. They go to the heart of your organization—your data. And without data, you cannot operate,” said Dickson.

The challenge for RNDC is that today’s hackers use the protocols a company runs every day to move throughout a network. “They look like regular users with very low privileges. They log onto multiple assets and move laterally across the network, then FTP your data out of your network,” said Doro Victor, Network Security Engineer at RNDC. “If you don’t have a way to detect this lateral movement, the hacker is already inside your network without your knowledge.”

In addition to network protection, RNDC needed security designed for virtualized environments, public and private clouds, and protection for servers and applications running on legacy hardware and operating systems that are no longer supported by vendors. This includes Microsoft® Windows® 2003 and Windows® XP servers.

“Trend Micro Deep Discovery is looking at those dark corners of the network to see if there is traffic that deviates from baseline. It gives us visibility into our network, so we can immediately see and shut down anything malicious before it becomes a problem.”

Doro Victor,
Network Security Engineer, RNDC
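The lateral-movement pattern Victor describes (a low-privilege account logging onto many assets, then moving data out over FTP) and the baseline-deviation check in the pull quote above, as a small added detection script. This is not RNDC's or Trend Micro's code: it reads constructed logon and flow records, flags a user whose distinct-host fan-out within an hour exceeds a multiple of an assumed per-user baseline, and then looks for large outbound FTP transfers from the hosts that user touched. The log formats, hostnames, usernames, baselines and thresholds are all assumptions made for the example.

```python
"""Toy lateral-movement / exfiltration detector over constructed log lines.

Added example; not RNDC's or Trend Micro's code. Every log format, name,
baseline and threshold below is an assumption constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not real data).
# Format: "<ISO time> LOGON user=<u> host=<h>"
LOGON_LOG = """\
2024-03-01T09:00:05 LOGON user=jsmith host=ws-101
2024-03-01T09:01:10 LOGON user=jsmith host=ws-101
2024-03-01T09:03:44 LOGON user=svc_print host=ws-101
2024-03-01T09:04:02 LOGON user=svc_print host=fs-02
2024-03-01T09:04:30 LOGON user=svc_print host=db-03
2024-03-01T09:05:15 LOGON user=svc_print host=hr-07
2024-03-01T09:05:50 LOGON user=svc_print host=app-11
2024-03-01T10:20:00 LOGON user=mlee host=ws-220
"""

# Constructed flow records (not real data).
# Format: "<ISO time> FLOW src=<h> dst=<ip> dport=<n> bytes=<n>"
FLOW_LOG = """\
2024-03-01T09:02:00 FLOW src=ws-101 dst=10.0.0.5 dport=443 bytes=20480
2024-03-01T09:07:12 FLOW src=db-03 dst=203.0.113.9 dport=21 bytes=734003200
2024-03-01T10:21:00 FLOW src=ws-220 dst=10.0.0.5 dport=443 bytes=8192
"""

# Assumed baseline: typical number of distinct hosts each user logs onto per hour.
BASELINE_HOSTS_PER_HOUR = {"jsmith": 1, "mlee": 1, "svc_print": 1}
WINDOW = timedelta(hours=1)
HOST_FACTOR = 3                            # alert at 3x the user's baseline
FTP_BYTES_THRESHOLD = 100 * 1024 * 1024    # outbound FTP over 100 MiB is suspicious here


def parse_kv(line):
    """Parse '<ts> <KIND> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def lateral_movement_alerts(logon_text, baseline=BASELINE_HOSTS_PER_HOUR):
    """Return {user: sorted hosts} for users whose distinct-host fan-out inside
    any WINDOW-long interval reaches HOST_FACTOR times their baseline."""
    by_user = defaultdict(list)
    for line in logon_text.splitlines():
        rec = parse_kv(line)
        by_user[rec["user"]].append((rec["ts"], rec["host"]))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        limit = HOST_FACTOR * baseline.get(user, 1)
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= WINDOW}
            if len(hosts) >= limit:
                alerts[user] = sorted(hosts)
                break
    return alerts


def is_private(ip):
    """RFC 1918 check, enough for the constructed addresses in this example."""
    octets = ip.split(".")
    return (ip.startswith("10.") or ip.startswith("192.168.")
            or (octets[0] == "172" and 16 <= int(octets[1]) <= 31))


def exfil_alerts(flow_text, suspect_hosts):
    """Return (src, dst, bytes) for large FTP flows from suspect hosts to
    non-private destinations."""
    hits = []
    for line in flow_text.splitlines():
        rec = parse_kv(line)
        if (rec["dport"] == "21" and rec["src"] in suspect_hosts
                and not is_private(rec["dst"])
                and int(rec["bytes"]) > FTP_BYTES_THRESHOLD):
            hits.append((rec["src"], rec["dst"], int(rec["bytes"])))
    return hits


def correlate(logon_text=LOGON_LOG, flow_text=FLOW_LOG):
    """Chain both checks: fan-out first, then outbound FTP from the touched hosts."""
    lateral = lateral_movement_alerts(logon_text)
    suspect = {h for hosts in lateral.values() for h in hosts}
    return {"lateral": lateral, "exfil": exfil_alerts(flow_text, suspect)}


if __name__ == "__main__":
    print(correlate())
```

The correlation step is the point: a single logon or a single FTP session is routine, but a service account fanning out to five hosts in two minutes and one of those hosts then pushing hundreds of megabytes to an external address over FTP is the combined pattern Victor describes. In production the baseline would be learned from history rather than hard-coded, and the flow source would be NetFlow or a network sensor rather than a string.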

Why Trend Micro

A few years ago, RNDC experienced an attack that spread across their network and shut down operations for hours at a time. It delayed deliveries, damaged the company’s reputation, and consumed about 5,000 hours of personnel time. “Over the course of several weeks, our best internal minds and our security vendor at the time worked on the problem. But we were getting nowhere. We couldn’t identify the source of the outbreak,” said Dickson. Softchoice, a technology reseller, recommended Trend Micro™ to him.

According to Dickson, within 45 minutes of plugging Trend Micro™ Deep Discovery™ into the network, he had every source of the threat identified and shut down. The demonstration also opened the eyes of the RNDC network and security teams to numerous other threats on the network. “We were shocked to see that our network had threats at every endpoint,” said Victor. Dickson was convinced of Deep Discovery™’s value.

“Advanced threats, like ransomware, have become more vicious. They go to the heart of your organization – your data. And without data, you cannot operate.”

John Dickson,
Director, IT Infrastructure, RNDC

Solution

With Trend Micro™ Deep Discovery™ threat detection, RNDC is instantly alerted to potentially malicious activity anywhere on their network. Covertly installed malware, such as ransomware, can’t hide. “Deep Discovery reads almost every protocol out there and can see the source and destination of any of those protocols,” said Victor. “It makes all the risk factors in our network known to us, so we can remediate problems before they become large.”

Deep Discovery™ uses advanced detection engines, custom sandboxing, and global threat intelligence from the Trend Micro™ Smart Protection Network™ to translate unknown activity in the network into intelligent, accessible information that RNDC can use to defend against stealthy, targeted attacks. “It can predict the source and future destination of an attack and correlate events to show a pattern rather than just capturing bits and pieces. This is particularly valuable for stopping threats and closing vulnerabilities that are spreading on multiple protocol levels,” said Victor.

While certain threats take years to gather data and insinuate themselves into the network, others, such as zero-day attacks, strike with lightning-fast speed. Today, RNDC uses Trend Micro™ Deep Security™ and relies on the intrusion prevention system (IPS) capability to shield servers and applications running on unsupported legacy hardware from these fast-moving malicious attacks. By protecting legacy boxes like Microsoft® Windows® 2003 and Windows® XP servers, Deep Security™ keeps vulnerabilities in legacy systems from impacting the rest of the network. “We can lock down those boxes while still virtualizing them off of their 10-year-old server systems,” said Dickson.

“Virtual patching is at the root of the Deep Security secret sauce. It allows us to make sure that nobody can hack an older box that is no longer patched by the vendor.”

John Dickson,
Director, IT Infrastructure, RNDC
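What the virtual patching described above amounts to, as an added conceptual example that is not Deep Security's rule engine or RNDC's configuration: an inline filter sits in front of an unpatched legacy HTTP service and drops requests that would reach a known weak spot, so the host is shielded without changing the application itself. The legacy paths, the two rules and their limits are assumptions constructed for the example.

```python
"""Conceptual virtual patch: an inline filter in front of an unpatched legacy
HTTP service. Added example; not Deep Security's engine or RNDC's rules. The
endpoints, rule ids and limits are constructed assumptions."""
import re

# Constructed rules. Each shields one hypothetical weakness in the legacy app
# at the network layer, which is the virtual-patching idea: the box stays
# unpatched, but the traffic that would reach the weak code never arrives.
RULES = [
    {"id": "VP-0001",
     "desc": "oversized query string to a legacy report endpoint",
     "path": re.compile(r"^/legacy/report"),
     "max_query_len": 256},
    {"id": "VP-0002",
     "desc": "only GET and POST are expected by the legacy application",
     "path": re.compile(r"^/legacy/"),
     "allowed_methods": {"GET", "POST"}},
]


def parse_request_line(raw):
    """Split 'GET /path?query HTTP/1.1' into (method, path, query)."""
    method, target, _version = raw.split(" ", 2)
    path, _, query = target.partition("?")
    return method, path, query


def inspect(raw):
    """Return ('allow', None) or ('block', rule_id) for one request line."""
    method, path, query = parse_request_line(raw)
    for rule in RULES:
        if not rule["path"].match(path):
            continue                       # rule does not cover this path
        if "max_query_len" in rule and len(query) > rule["max_query_len"]:
            return ("block", rule["id"])
        if "allowed_methods" in rule and method not in rule["allowed_methods"]:
            return ("block", rule["id"])
    return ("allow", None)


def filter_batch(requests):
    """Apply inspect() to a batch; returns [(request, verdict, rule_id), ...]."""
    return [(req, *inspect(req)) for req in requests]


# Constructed sample traffic (not real requests).
SAMPLE = [
    "GET /legacy/report?month=2024-02 HTTP/1.1",
    "GET /legacy/report?month=" + "A" * 300 + " HTTP/1.1",
    "DELETE /legacy/report HTTP/1.1",
    "DELETE /modern/api/health HTTP/1.1",
]


def blocked_count(requests=SAMPLE):
    """Number of requests the virtual patch would stop from reaching the host."""
    return sum(1 for _, verdict, _ in filter_batch(requests) if verdict == "block")


if __name__ == "__main__":
    for req, verdict, rule_id in filter_batch(SAMPLE):
        print(f"{verdict:5} {rule_id or '-':8} {req[:60]}")
```

Two design points follow from the example. The rules are scoped to the legacy paths only, so modern services are not affected by a shield written for a 2003-era application, and each rule carries an id so that a block event can be traced back to the specific weakness it covers when the alert is reviewed.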

Results

Trend Micro™ Deep Discovery™ delivered a return on investment (ROI) within a year and alerted RNDC to as many as 10 attacks every day. Since implementing Deep Discovery™, RNDC has not experienced a single incident that has impacted their sales or shipping operations. “With visibility into the network, we can immediately react to situations that might prove harmful to the network, and we don’t have to worry that there’s traffic that is running across the network that we don’t know about,” said Dickson. “With the recent rise of ransomware attacks, we feel that we are protected with Trend Micro.”

Trend Micro™ Deep Security™ extends the life of legacy applications until the time RNDC can migrate them to a global deployment. RNDC also appreciates the single pane of glass Deep Security™ uses to display all security information. “It allows us to concentrate our limited resources where we need them most,” said Dickson. “We can concentrate on things that have to be handled manually while knowing that a majority of the systems are being taken care of proactively, and automatically.”

“Trend Micro Premium Support Services have been phenomenal. You get someone on the phone immediately, or immediate answers to your emails,” said Dickson, who sees the services as an extension of his security team. “There are people behind the scenes who really have your back,” he added.

What's Next?

With Trend Micro™ Deep Discovery™ providing insight into every corner of the network, and the virtual patching capability of Trend Micro™ Deep Security™ shielding unsupported hardware, RNDC has taken major steps to close security gaps and ensure 24x7 service to customers. RNDC plans to extend Deep Security™ to hybrid and multi-cloud environments.

“We are starting to move into public cloud with Microsoft Azure and Amazon Web Services (AWS), and need to provide protection in those environments. Deep Security will allow us to expand our use of cloud-based applications and protect them under the same pane of glass that we use to protect our virtualized on-premises systems,” said Dickson.